(54) Improved method for secure access control.

(57) A requester (102, 104) making a request for access to a destination (114, 116) is prompted to supply additional authentication information, beyond that which may be supplied by the requester in an attempt to meet a first level of security processing specified by the nature of the request itself, only if it is determined from a predetermined set of attributes of the particular access request that additional security processing is necessary before access can be granted to the destination.
Only those individuals authorized to have access to particular computers, telephones, systems and the like, referred to herein as "destinations", should be granted such access. [...] Identifying characteristics may be used, individually or in combination, to confirm that the person requesting the access is actually who he alleges to be. Identifying characteristics that have been employed include fingerprints, voice, retina patterns, personal appearance, handwriting and even the manner in which [...] as it passes through a portion of the body. One method employed to obtain such an alleged identity is to [require the entry] of a code, which may include a predetermined personal identification number (PIN), via a keypad, or scanned from a device in the requester's possession, e.g., a credit card having a magnetically encoded version of the code. The prior systems then attempt to authenticate the identity thus alleged by comparing a previously stored representation of at least one identifying characteristic of the alleged identity with a representation derived from measurements taken from the requester. If the representations match, access is granted; otherwise access is [refused].

In each such prior system, the security processing applied was fixed by what is specified in the nature of the request, i.e., all requests of the same type received the same security processing. For example, 800-type calls require no security processing, whereas calls charged to credit cards always require that a valid identification number be supplied so the call may be billed properly. [...] systems that always require that the measurement of the identifying characteristic be compared against stored representations of those who are authorized users before granting any form of access. This burdensome level of security may be unnecessary for many requests. Additionally, such security measures can result in an authorized requester being unable to obtain access. This can result if the requester is temporarily unable to supply the required identifying characteristic, e.g., if the identifying characteristic is a fingerprint and the requester [...], or if the identifying characteristic is a voice sample and the requester has a cold, thereby preventing a desired transaction from occurring. Such undesirable results are particularly costly where fraudulent access is rarely sought or where other reasons make the value of the access check less significant.

Summary of the Invention 

The difficulties with prior access granting systems are overcome, in accordance with the principles of the invention, by receiving from a requester a request for access to a destination, the request itself specifying a first level of security processing, and prompting the requester to supply additional authentication information, beyond that which may be supplied in an attempt to meet the first level of security processing, only if it is determined from a predetermined set of attributes of the particular access request that additional security processing is necessary before access can be granted to the destination. [...] in the telephone context.

[...] In a preferred embodiment, if the requested additional authentication information is required, then access will not be granted unless such information is obtained. If the requested authentication information is supplied, that information may then be used, along with the request attributes, in an attempt to authenticate the alleged identity of the requester in accordance with the requirements specified by the necessary additional security processing. If the requester is authenticated, access is granted.

A further feature of the invention is that different levels of access may be granted, depending upon a) the actual values of the set of attributes for the access request and b) the additional authentication information supplied, if requested. Thus, in order to be granted increasingly greater levels of access, various different attributes and requests for various different authentication information may be involved.

In accordance with another feature of the invention, such requesting and authentication may also be invoked iteratively, until the access desired by the requester is either granted or denied or there is no further information which may be obtained from the requester. This iteration may be performed with or without the knowledge of the requester.

In accordance with a further feature of the invention, rather than allowing only a single individual to be associated with each alleged requester identity, multiple individuals may be associated with a single alleged requester identity. If authentication is invoked for the alleged identity, any of the associated individuals, if recognized, may be granted access. The type of access granted to each associated individual can be made further dependent upon a recognition of which of the individuals they are and a profile specially associated with that individual.

Brief Description of the Drawing

FIG. 1 shows, in simplified form, an exemplary telephone network embodying the principles of the invention;
FIG. 2 shows an exemplary central security control system used in the network of FIG. 1;
FIG. 3 depicts an expanded view of an exemplary requester authentication unit shown in the central security control system of FIG. 2;
FIG. 4 shows an expanded view of a destination authentication unit 220 shown in the central security control system of FIG. 2;
FIGs. 5, 6 and 7, when arranged as shown in FIG. 8, depict in flow chart form an exemplary method of processing an access request by a requester to a destination where the security requirements for the granting of access are specified by the destination;
FIG. 9 shows an example of the call setup messages employed if a security system is to provide secured access by a user to a particular destination; and
FIGs. 10 and 11, when arranged as shown in FIG. 12, depict in flow chart form an exemplary access request by a requester to a destination where the security requirements for the granting of access are specified by the requester or the network operators.
Detailed Description

Shown in FIG. 1, in simplified form, is exemplary telephone network 100 embodying the principles of the invention. Telephone network 100 comprises originating stations 102 and 104, local exchange carrier (LEC) networks 106, 108, 110 and 112, destination stations 114 and 116, bypass origin 115, bypass destination station 117 and long distance network 118, illustratively the AT&T network. Originating stations 102 and 104, destination stations 114 and 116, bypass origin 115 and bypass destination station 117 are representative of a plurality of network endpoints, the remainder of which are not shown for clarity of exposition. Only those portions of telephone network 100 necessary for calls to be made from an origin to a destination are shown.

LEC networks 106, 108, 110 and 112 contain switching machines 120, 122, 124, 126, respectively. Switching machines 120, 122, 124, 126 are capable of connecting a plurality of network endpoints to long distance network 118. Such switching machines are well known and may be, for example, AT&T's 5ESS® switch. Long distance network 118 comprises switching machines 128 and 130, network control point (NCP) 132, central security control system (security system) 133 and optional adjunct processor (AP) 136. NCP 132 is of a type well known in the art. Switching machines employed in communications networks are well known. Switching machines 128 and 130 are illustratively AT&T's No. 4 ESS™ switch. Additionally, security system 133 comprises security control points (SCP) 134-1 and SCP 134-2.

Switching machines 128 and 130, NCP 132, security system 133 and AP 136 are interconnected in the manner shown by signaling network 138, represented by dashed lines. Originating stations 102 and 104, destination stations 114 and 116, bypass destination station 117, switching machines 120, 122, 124, 126, switching machines 128 and 130 and SCPs 134 are interconnected by information links 140, in the manner shown. Information links 140 would comprise a mix of conventionally known digital transmission links, e.g., DS0, DS1 [...].

Shown in FIG. 2 is exemplary central security control system 133. Security system 133 comprises security control points (SCPs) 134, including security control point (SCP) 134-1 and SCP 134-2. [...] SCP 134-1 and SCP 134-2 are both connected to switching machine 128 by at least one requester information path 204 and at least one requester signalling link 206. [...] Each SCP comprises access decision unit 208 and a plurality of elements connected to access decision unit 208 by link 222, [among them] user profile storage unit 210, destination profile storage 216, requester authentication unit 218 and destination authentication unit 220. Requester authentication unit 218 is also interconnected with user profile storage unit 210 by link 224 and [receives the requester's responses to] requester challenges over requester information path 204. [...]




EP 0 534 673 A2
[...] valued at up to $200 if they are authenticated to at least a first level of authentication. Transactions of greater value need to be authenticated to a second, higher, level of authentication. This security information has been stored in destination profile storage 216 (FIG. 2). For the convenience of its authorized users, the bank has provided a toll free 800-type number which requesters can dial to gain access to the computer system. The necessary authentication information has been obtained from authorized users of the bank's computer system. This information has been stored in user profile storage 210 and user authentication data 312 (FIG. 3).

The method begins at step 801 when a requester at originating station 102 is detected to go off hook by switching machine 120. Thereafter, in step 803, the requester dials the number of the destination to which access is sought. In this example, the requester dials from originating station 102 the bank's 800 number, 1-800-BANK. In step 805, switching machine 120 receives the dialed digits and recognizes that the number dialed is an 800-type number for which service is provided via long distance network 118.

Switching machine 120 of LEC network 106, in step 807, routes the call to switching machine 128 in long distance network 118. Switching machine 128 routes the call to its appropriate associated NCP 132, as is typically performed for 800-type calls, in step 809. The appropriate NCP 132 is determined from the function to be provided by the NCP to service the call and predetermined internal mapping tables contained within switching machine 128. Exemplary functions which are typically provided by NCP 132 are 800 and 900 number translation and conventional, well known credit card billing verification. Table 1 shows an exemplary NCP 132 translation table wherein the address of one of SCPs 134 may be returned in response to a call that requires security processing. NPA is an abbreviation for numbering plan area, more commonly known as area code.

TABLE 1 - NCP Translation Table

Called number    Originating NPA    Translate to
800-555-1234     908                908-949-3000
800-555-1234     any other          609-555-9876
800-BANK         any                SCP_134-1
800-BANKXYZ      any                SCP_134-1
900-INFOSVC      any                SCP_134-1
800-STOKMKT      212, 516, 718      SCP_134-1
900-555-0001     any                312-411-6543



In step 811, when the address of one of SCPs 134 of security system 133 is supplied in place of number translation or billing verification information, NCP 132 recognizes that this call may require security processing beyond a first level inherent in the nature of the request and accordingly routes the call to security system 133. In a preferred embodiment, as described above, each of SCPs 134 contains all the data necessary to perform all authentications. Therefore, NCP 132 routes the call to the closest one of SCPs 134. For purposes of this example, the closest one of SCPs 134 is SCP 134-1. Therefore, NCP 132 always returns the address of SCP 134-1, as shown in Table 1, when additional security processing beyond the first level may be required.

In an alternate embodiment, each user would have a predetermined "home" one of the SCPs 134. This "home" one of the SCPs 134 would be assigned based on a determined or inferred user identity. In a further alternate embodiment, each destination would have a predetermined "home" one of SCPs 134. The "home" one of SCPs 134 would be the one of SCPs 134 that is closest to the destination. Each NCP 132 would be associated with one of SCPs 134 and would initially route incoming calls that it receives to that one of SCPs 134. If the one of SCPs 134 to which the call was initially routed was not the "home" one of SCPs 134 for the received call, that one of SCPs 134 would contain sufficient information to cause the call to be routed to the "home" one of the SCPs 134 of that call for security processing.

SCP 134-1 receives the call information on requester signalling link 206. Upon receiving the call, SCP 134-1, in step 813, causes any first level of security processing specified by the nature of the request to be performed. For a call to be charged to a credit card, such a specification of a first level of security processing is that a valid credit card number, including the PIN portion, must be supplied by the requester. Other requests, such as direct distance dialed calls, 800-type and 900-type calls, have a null first level of security processing. This first level of security processing may be performed by SCP 134-1 itself, or SCP 134-1 may request that the first level of security processing be performed by NCP 132 and the results of the processing be returned to SCP 134-1 via signalling network 138.






In accordance with an aspect of the invention, step 815 tests if the requester has successfully met the requirements of the first level of security processing. If the test result in step 815 is NO, control is passed to step 817 in which SCP 134-1 causes the connection to be refused. Thereafter, control is passed to optional step 819 which journals an unsuccessful access attempt. The method is then exited at step 821.

If the test result in step 815 is YES, control is passed to step 823 in which access decision unit 208 looks up the destination in destination profile storage 216 to determine what levels of authentication are required to achieve each level of access that can be made available for this type of request. If there is no profile for a particular destination, then additional security processing is not required by that destination. Table 2 shows several exemplary destination profiles. The attributes which may be considered for each request in this example are the destination billing (bill) type, the list of permitted users and a specified additional attribute. The authentication information which must be supplied to achieve each corresponding authentication level is shown in Table 3. It is noted that the mapping of the authentication level to the access level to be granted is specified by the destination profiles shown in Table 2.

TABLE 2 - SCP Destination Table - Attributes and Access Requirements

Destination              Bill Type  Permitted Users  Add'l Attribute        Authentication Level  Access Level
1-800-BANK               -          group1           -                      1                     till $200
1-800-BANK               -          group1           -                      2                     over $200
1-800-BANK               -          group1           -                      3                     over $200
1-800-BANKXYZ            -          group2           -                      0                     till $5000
1-800-BANKXYZ            -          group2           -                      3                     over $5000
1-800-BANKXYZ            -          group2           -                      4                     over $5000
1-900-INFOSVC            -          not group3       -                      0                     1 min
1-900-INFOSVC            -          group3           -                      1                     10 min.
1-900-INFOSVC            -          group3           -                      2                     1 hour
1-800-STOKMKT            -          any              ANI=212                0                     10 min.
1-800-STOKMKT            -          any              time=1000-1600 local   1                     unlimited
Internat'l calls to      CC         any              PFO                    N/A                   none
  country group 2        CC         any              NPO                    3                     20 minutes
Internat'l calls to      CC         any              PFO                    2                     10 minutes
  country group 1        CC         any              PFO                    5                     30 minutes
                         CC         any              NPO                    2                     unlimited
Domestic calls           CC         any              PFO from S. Bronx      2                     unlimited



The "groupX" entries in the Permitted Users column, where X is a number, are pointers to lists of users who are authorized to gain access to the destination. Such lists would be stored in destination profile storage 216. For example, group1 would be a pointer to a list of all identities of the users who were authorized by the bank to access the bank's computer system. As mentioned above, this information was previously supplied by the bank to the provider of long distance network 118. Similarly, the "country group X" entries in the destination column are pointers to lists of countries which receive the same security treatment. CC stands for Credit-card Call. PFO stands for Public Phone Origination. NPO stands for Non-public Phone Origination. A dash indicates the particular attribute is not considered for the specified destination. ANI is the abbreviation for Automatic Number Identification, which is the source of the request. In this example only the area code of the source is considered. Control is then passed to conditional branch point 825.



TABLE 3 - SCP Authentication Level Table

Authentication Level   Authentication Means
0                      None
1                      PIN (or Password)
2                      Voice Print
3                      Finger Print
4                      Retina Pattern
5                      Keystroke Timing
N/A                    No Access allowable



In accordance with the principles of the invention, whether a particular access request will require the requester to actually supply authentication information is dependent upon any first level of security processing inherent in the request, as well as the specified security needs of the destination and the values of the other attributes of the access request. These attributes typically include the alleged identity of the requester and the available call information. Available call information can include the originating address, e.g., automatic number identification (ANI), which would specify the location from which the access is sought; the destination to which access is sought, which can be determined from the number dialed; the cost of the call, which may be expressed as a cost per unit of access or a cost reflecting the overall value of the access; and any other parameters of the call.

In conditional branch point 825, access decision unit 208 of SCP 134-1 tests to determine, in accordance 
with the principles of the invention, if it can definitely allow access to be granted at the level requested, if it 
can definitely not allow access to be granted at the requested level or if it doesn't know whether it should allow 
access to be granted. For purposes of this example, each destination profile stored in destination profile stor- 
age 216 specifies the available levels of access and the corresponding set of attributes required to achieve 
authentication such that access to the destination can be granted at each level. Again, such profiles are shown 
in Table 2. In accordance with an aspect of the invention, upon the initial iteration of step 825 access will be 
caused to be granted to a requester since any first level of security processing inherent in the request has been 
met by the requester, unless a predetermined set of attributes of the particular access request matches a set 
of specified criteria for those predetermined attributes, in which case additional authentication information is 
requested from the requester. If the requested additional authentication information is supplied, that informa- 
tion is used as part of the available request attributes, along with the other request attributes, in an attempt 
to authenticate the alleged identity of the requester. If the requester is authenticated, access is granted. The 
attributes of a request that can be specified are any information concerning the access request that can be 
made available to security system 133. 
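The three-way test of conditional branch point 825 over the destination profiles can be written out as a small policy evaluator. The following is an added example, not code from the patent: it encodes a handful of rows modelled on Tables 2 and 3 and returns GRANT, DENY or DON'T KNOW together with the authentication level still needed. The group memberships, the Request and ProfileRow records, the decide function and the "identity plus PIN is level 1" rule for an unknown requester are assumptions of this example.

```python
"""Added example (not code from the patent): the three-way decision of
conditional branch point 825 evaluated over destination-profile rows in
the style of Tables 2 and 3.  The rows, group memberships and names are
constructed for this example."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional


class Decision(Enum):
    GRANT = "grant"            # step 825 YES
    DENY = "deny"              # step 825 NO
    DONT_KNOW = "don't know"   # step 825 DON'T KNOW: ask for more authentication


NO_ACCESS = None  # Table 3 level "N/A": this row can never grant access


@dataclass(frozen=True)
class Request:
    destination: str
    bill_type: str            # "CC" credit-card call, "-" anything else
    origin_type: str          # "PFO" public phone, "NPO" non-public phone
    ani_npa: str              # area code taken from ANI
    local_hour: int           # hour of day at the originating station
    identity: Optional[str]   # validated alleged identity, None if not yet supplied
    auth_level: int           # highest Table 3 level already reached


Predicate = Callable[[Request], bool]


@dataclass(frozen=True)
class ProfileRow:
    destination: str
    bill_type: str                  # "-" means not considered
    permitted: Optional[Predicate]  # permitted-users test, None for "any"
    extra: Optional[Predicate]      # additional attribute test, None for "-"
    auth_level: Optional[int]       # None is "N/A"
    access_level: str


# Constructed group lists (the "groupX" pointers of Table 2).
GROUPS = {"group1": {"watan", "bemc"}, "group3": {"willj"}}


def in_group(name: str) -> Predicate:
    return lambda r: r.identity in GROUPS[name]


def not_in_group(name: str) -> Predicate:
    return lambda r: r.identity not in GROUPS[name]


DESTINATION_TABLE = [
    ProfileRow("1-800-BANK", "-", in_group("group1"), None, 1, "till $200"),
    ProfileRow("1-800-BANK", "-", in_group("group1"), None, 2, "over $200"),
    ProfileRow("1-900-INFOSVC", "-", not_in_group("group3"), None, 0, "1 min"),
    ProfileRow("1-900-INFOSVC", "-", in_group("group3"), None, 1, "10 min."),
    ProfileRow("1-800-STOKMKT", "-", None, lambda r: r.ani_npa == "212", 0, "10 min."),
    ProfileRow("1-800-STOKMKT", "-", None, lambda r: 10 <= r.local_hour < 16, 1, "unlimited"),
    ProfileRow("country group 2", "CC", None, lambda r: r.origin_type == "PFO", NO_ACCESS, "none"),
    ProfileRow("country group 2", "CC", None, lambda r: r.origin_type == "NPO", 3, "20 minutes"),
]


def decide(req: Request, requested_access: str, table=DESTINATION_TABLE):
    """Return (Decision, authentication level still needed or None).

    Any first level of security processing inherent in the request (e.g. a
    valid card number for a credit-card call) is assumed to have been met
    already, as tested in step 815."""
    rows = [r for r in table if r.destination == req.destination]
    if not rows:
        return Decision.GRANT, None   # no profile: no additional security processing
    needed = []                       # levels that would unlock some applicable row
    for r in rows:
        if r.access_level != requested_access:
            continue
        if r.bill_type != "-" and r.bill_type != req.bill_type:
            continue
        if r.extra is not None and not r.extra(req):
            continue
        if r.auth_level is NO_ACCESS:
            continue                  # row matched but says "no access allowable"
        if r.permitted is not None:
            if req.identity is None:
                # An identity (and with it the PIN, level 1) must be asked for first.
                needed.append(max(1, r.auth_level))
                continue
            if not r.permitted(req):
                continue
        if req.auth_level >= r.auth_level:
            return Decision.GRANT, None
        needed.append(r.auth_level)
    if needed:
        return Decision.DONT_KNOW, min(needed)
    return Decision.DENY, None
```

One property worth noticing is the fail-open rule the text itself states: a destination with no profile gets GRANT, so a missing or mistyped profile row silently removes all additional security processing for that destination. A deployment that routes a call to the SCP and then finds no profile for it should treat that as a configuration error rather than as permission.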

In accordance with the principles of the invention, if the test result in step 825 is YES, the predetermined set of attributes does not match the specified criteria for those attributes and therefore access should be granted at the requested level (any first level of security inherent in the request having been met, which is assumed herein), and control is passed to step 827. In step 827 access decision unit 208 of SCP 134-1 obtains the destination authentication information. Destination authentication information is authentication information supplied by security system 133 to a destination so that the destination knows that it is communicating with security system 133. This information is stored in destination authentication store 408 (FIG. 4) and is retrieved therefrom via destination authentication processor 402 over link 404 and supplied via link 222 to access decision unit 208. Alternatively, this information may be stored in destination profile storage 216 and supplied to access decision unit 208 over link 222. Table 4 shows the information that SCP 134-1 will supply to each destination to authenticate itself.
TABLE 4 - SCP Destination Protocol Table

Destination    SCP Login   SCP Authentication            Add'l Authentication
800-BANK       SCPXYZ      password=its-mc
800-BANKXYZ    ATT         password=qazxswedcv&
900-INFOSVC                Challenge/response protocol   key=314159
800-STOKMKT
In step 829 SCP 134-1 establishes a connection to destination station 114, in this example the computer system of the bank. This connection is established by destination authentication unit 220 and connects destination information path 230 to destination station 114 through switching machine 128, switching machine 130, LEC network 110, switching machine 124 and their respective interconnecting links. SCP 134-1 engages in an authentication session with destination station 114 in step 831. During this session, as will be discussed further below, SCP 134-1 can either identify itself as SCP 134-1 and indicate that it is vouching that the requester is a user who has been authorized to a specific level, or SCP 134-1 can mimic the requester [...].

In step 833 SCP 134-1 causes the requester at originating station 102 to be granted access to destination station 114. SCP 134-1 communicates to destination station 114 the level of access which is to be granted to the requester via destination challenge/response 406. SCP 134-1 then causes originating station 102 to be interconnected to destination station 114. This interconnection is accomplished by issuing the appropriate commands to directly interconnect switching machine 120 of LEC network 106 and switching machine 124 of LEC network 110, in the manner in which the connection would have been established had the functions of SCP 134-1 not been invoked. SCP 134-1 also disconnects itself from the call. Thereafter, the method is exited at step 821.

The test result during the initial pass through step 825 is DON'T KNOW, in accordance with an aspect of the invention, if the predetermined set of attributes matches the specified criteria for those attributes. For the call to the bank, DON'T KNOW is the result for the initial iteration of step 825, because it is assumed that each requester wants to be able to perform transactions in excess of $200. The DON'T KNOW result indicates that access should not be granted immediately at the requested level and, instead, additional authentication information, beyond that required for any security processing inherent in the request, should be requested in accordance with the principles of the invention. Therefore, control is passed to conditional branch point 835.

Conditional branch point 835 tests to determine if there remains authentication information that can be obtained from the access requester, as specified in his profile, or, alternatively, if additional authentication can be derived from information which the requester has already supplied. If the test result in step 835 is YES, in accordance with an aspect of the invention, control is passed to step 837 to obtain the next item of additional authentication information specified in the profile. Exemplary user profiles are shown in Table 5. If the identity of the requester is unknown during an iteration of step 835, the test result will be YES. This is because at least an alleged identity can be requested.
TABLE 5 - SCP Originator (User) Table

Full Name        Identity   Authentic Level   Destination       Access Level
John_Watanabe    watan      2                 1-900-WEATHER     10 min./day
                            3                 1-900-WEATHER     1 hr./day
                            3                 any other 900     unlimited
                                              1-800-BANKXYZ     till $5000
Joe_Williams     willj      2                 1-900-SPORTS      unlimited
                                              1-900-SPORTS      unlimited
                            3                 1-900-INFOSVC     30 min./call
Sarah_Williams   wills                        1-900-SPORTS      unlimited
                            N/A               1-900-INFOSVC     none
Tom_Williams     willt      N/A               1-900-SPORTS      none
                            N/A               1-900-INFOSVC     none
Hank_Williams    willh      N/A               1-900-SPORTS      none
                            N/A               1-900-INFOSVC     none
Byron_McDoe      bemc       0                 any               unlimited



In step 837, SCP 134-1, as directed by access decision unit 208, tests to determine if an identity alleged by the requester is already available. An identity may be available if it was specified as part of the first level of security processing, if it was already specifically requested as a part of additional security processing, or it may be inferred from the characteristics of the request. Such an inference may be drawn if a call is placed from a phone having only one authorized user, e.g., a home phone or a locked phone. If the requester's identity is already available in step 837, the test result is YES and control is passed to step 839, and the identity available in step 837 will be used as the identity that was alleged by the requester. If an alleged identity is not available in step 837, the test result is NO and control is passed to step 841.

For purposes of this example, requesting and receiving an alleged identity is not part of the first level of security processing inherent in the request. This is because it is well known that conventional 800-type calls by themselves, as requests for bandwidth connections to remote locations, do not require any security processing for their completion, i.e., 800-type calls do not require that an identity of the caller be alleged or that any form of authentication information be supplied by the caller. Therefore, in accordance with an aspect of the invention, the requesting of the identity, including a self-authenticating check sequence which is the user's PIN, is part of the additional security processing required for this particular 800-type call request. This additional processing is invoked based on the destination attribute of the request and the need to satisfy the permitted users attribute of the request before any access can be granted. In accordance with an aspect of the invention, if the requester supplies an identity code including the PIN portion that corresponds to an authorized user, he will be successfully authenticated to authentication level 1 (Table 3). Therefore, the requester will be able to at least perform transactions valued up to a total of $200, as can be seen from Table 2.

In step 841, SCP 134-1 requests that the requester allege his identity. For purposes of this example, the 
request by SCP 134-1 for authentication information is in the form of computer synthesized speech telling the 
user to supply the identity that he wishes to allege. This request is generated by requester challenge 308 in 
response to instructions from requester authentication processor 302 received via link 304. Requester authen- 
tication processor 302 is itself responsive to commands received from access decision unit 208 via link 222. 
The generated request is supplied to requester information path 204 and transported back to the user via in- 
formation bearing facilities of switching machine 128, LEC network 106, originating station 102 and intercon- 
necting links therebetween. 

Conditional branch point 843 tests to determine if the user has provided the alleged identity information requested within a predetermined period of time and, if an alleged identity has been supplied, whether it is valid, i.e., whether it is the identity of an authorized user. This step may be accomplished as part of a first level of security processing specified by the nature of the request or it may be separately performed. An identity can be alleged by supplying the digits of an identity code in the form of multi-frequency tones from the telephone keypad. This identity code is unique to each authorized user.

The code is received by comparison function 310, which is a general purpose unit for receiving data supplied by the requester [and comparing it with stored data]. [...] access decision unit 208 [...] sends a message to switching machine 128 via requester signalling link 206 [...]. Access decision unit 208 [then determines whether the supplied identity] corresponds to a permitted user as defined by the permitted user attribute. [...] If [the test result in step 843 is NO, control is passed to step 817 once a predetermined number] of failed attempts [has been made or a] TIME-OUT occurred. This predetermined number may be one (1). If the test result in step 843 is YES, a valid identity was supplied and control is passed back to conditional branch point 825.

In step 839, SCP 134-1, as directed by access decision unit 208, requests that the requester provide [the next item of authentication information specified in his profile]. [This request is generated by] requester challenge 308 in response to instructions from requester authentication processor 302 received via link 304. Requester authentication processor 302 is itself responsive to commands received [from access decision unit 208 via link 222].

Conditional branch point 845 [tests to determine if the requested authentication information has been supplied within a predetermined period of time]. [If the test result in step 845 is NO, control is passed to step 817, in which the connection is refused, and optional step 819 journals the unsuccessful attempt.] The method is then exited at step 821. If the test result in step 845 is YES, control is passed back to conditional branch point 825.

For each type of authentication information there may be a "try again" threshold which, when reached during an iteration of step 825, indicates that the received authentication information yields an authentication that is close to the desired level but the authentication remains as yet uncertain. The values of the "try again" threshold may be dependent on the particular set of attributes for any given request. If the "try again" threshold is reached, access should not be granted to the desired level, but the requester may be allowed to supply a different form of authentication information to obtain access in accordance with an aspect of the invention. Therefore, in accordance with an aspect of the invention, if the test result in subsequent iterations of step 825 is that access decision unit 208 of SCP 134-1 remains unsure as to whether access should be allowed at the level requested, the test result in step 825 is DON'T KNOW and control is passed to conditional branch point 835. Table 6 shows several types of authentication information and the requirements to achieve access, to be denied access or to be allowed to "try again" for each type, for use in step 825. X1, X2, Y1, Y2, Z1, Z2 are system dependent, implementor chosen parameters that determine the accuracy and tolerances of the particular recognition and comparison system employed. Determination of such parameters will be obvious to one skilled in the art. As seen in Table 6, the following relationships among the parameters are required: X1 > X2, Y1 < Y2, Z1 < Z2. DTW stands for Dynamic Time Warp, which is well known in the art.

TABLE 6 - SCP Authentication Decision Table

Authentication Info Type | Access Denied            | Try Again                    | Access Granted
-------------------------+-------------------------+------------------------------+------------------------
PIN or Password          | No Match                | 80% Match                    | All Match
Voice Print              | DTW > X1                | X2 < DTW < X1                | DTW < X2
Finger Print             | #Features Matching < Y1 | Y1 < #Features Matching < Y2 | #Features Matching > Y2
Retina Pattern           | #Features Matching < Z1 | Z1 < #Features Matching < Z2 | #Features Matching > Z2


In conditional branch point 825, access decision unit 208 of SCP 134-1 again tests to determine if it can
definitely allow access to be granted at the level requested, if it can definitely not allow access to be granted
at the requested level, or if it doesn't know whether it should allow access to be granted. This determination is
now based on the available call information specified by the destination profile as well as the probability
developed by either voice password 306 or comparison function 310 for the most recently received requester
authentication information. If a voice password was requested, the "try again" threshold might be reached if
a requester supplying a voice password is actually an authorized user suffering from nasal congestion. Such
a user would be unlikely to gain access even if permitted to repeat the same voice password. Also, an imitator
might improve his imitation if given another chance. An advantage of this system is that the user suffering from
nasal congestion would be permitted to provide other identifying information, thereby authenticating himself.
Also, the imitator would be less likely to be able to simulate and supply all the types of information which may
be requested for authentication. Other methods of determining whether access should be allowed may be
employed.

In this example, each authentication is evaluated independently even if insufficient. Even if an authentication
is insufficient to grant access, it must at least reach the "try again" threshold to continue the process.
Other embodiments will be readily apparent without departing from the scope and spirit of the invention. This
iterative requesting of additional authentication information may be performed, in accordance with an aspect
of the invention, without the knowledge of the requester. This may be achieved by scanning the user without
informing him or by more intensely processing the already obtained data so as to glean more insight as to the
authenticity of the requester. One method of scanning the user without informing him is to activate a video
camera at his location and scan an image of the requester. Additional insight as to the authenticity of the
requester may be gleaned without obtaining further data from the user by, for example, processing already
obtained voice samples with additional analysis routines which require an additional period of time to run
but yield greater accuracy, or by examining the timing relationship between the keystrokes which the user
employed to enter his alleged identity.
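As an added example (not the patent's own code), the following Python sketch implements the three-way outcomes of Table 6 and the iterative "try again" rule of step 825, including the alternative embodiment that grants a lower level when the requested level is not reached within n attempts. The tolerance values X1..Z2, the level each type of information vouches for, and the sample measurements are constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Outcome(Enum):
    DENIED = "access denied"
    TRY_AGAIN = "try again"
    GRANTED = "access granted"


# Constructed, implementor-chosen tolerances. Table 6 requires X1 > X2, Y1 < Y2, Z1 < Z2.
PARAMS = {"X1": 30.0, "X2": 10.0, "Y1": 8, "Y2": 12, "Z1": 20, "Z2": 30}

# Constructed: the authentication level a fully matching item of each type vouches for.
# Level 1 is the PIN portion of the identity code (the page's "$200" level); the
# biometric types vouch for higher levels.
LEVEL_OF = {"pin": 1, "voice": 2, "finger": 3, "retina": 3}


def check_params(p):
    """Refuse parameter sets that violate the ordering Table 6 relies on."""
    if not (p["X1"] > p["X2"] and p["Y1"] < p["Y2"] and p["Z1"] < p["Z2"]):
        raise ValueError("Table 6 requires X1 > X2, Y1 < Y2 and Z1 < Z2")


def decide(info_type, measurement, p=PARAMS):
    """One row of Table 6. `measurement` is the fraction of matching PIN digits, the
    DTW distance of a voice print, or the number of matching finger/retina features.
    Table 6 leaves equality unspecified; the comparisons below fix it as written."""
    if info_type == "pin":
        if measurement >= 1.0:
            return Outcome.GRANTED       # all match
        if measurement >= 0.8:
            return Outcome.TRY_AGAIN     # 80% match
        return Outcome.DENIED            # no match
    if info_type == "voice":
        if measurement < p["X2"]:
            return Outcome.GRANTED       # DTW < X2
        if measurement < p["X1"]:
            return Outcome.TRY_AGAIN     # X2 < DTW < X1
        return Outcome.DENIED            # DTW > X1
    lo, hi = {"finger": ("Y1", "Y2"), "retina": ("Z1", "Z2")}[info_type]
    if measurement > p[hi]:
        return Outcome.GRANTED           # matching features > Y2 / Z2
    if measurement > p[lo]:
        return Outcome.TRY_AGAIN         # Y1 < matching < Y2 / Z1 < matching < Z2
    return Outcome.DENIED                # matching < Y1 / Z1


@dataclass
class Decision:
    outcome: Outcome
    level: int      # highest authentication level actually reached
    trail: list     # (info_type, Outcome) for each iteration of step 825
    journal: list   # constructed stand-in for the optional journaling of step 819


def authenticate(requested_level, supplied, n=2, grant_lower_level=False):
    """Iterate step 825 over the information the requester supplies, in order.

    `supplied` lists (info_type, measurement) pairs: the first is the information
    given for the first level of security processing, and at most n further items
    are requested (the page's exemplary n is 2). Each item is evaluated
    independently; the process continues only while the last item reached at least
    the "try again" threshold, and a different type of information is asked for
    each time (conditional branch point 835)."""
    check_params(PARAMS)
    level, trail, journal = 0, [], []
    for info_type, measurement in supplied[: n + 1]:
        result = decide(info_type, measurement)
        trail.append((info_type, result))
        if result is Outcome.DENIED:
            journal.append(f"refused: {info_type} below the try-again threshold")  # 817/819
            return Decision(Outcome.DENIED, level, trail, journal)
        if result is Outcome.GRANTED:
            level = max(level, LEVEL_OF[info_type])
            if level >= requested_level:
                return Decision(Outcome.GRANTED, level, trail, journal)
        # TRY_AGAIN, or a full match that vouches only for a lower level than requested:
        # step 825 answers DON'T KNOW and the next type of information is requested.
    if grant_lower_level and level > 0:
        return Decision(Outcome.GRANTED, level, trail, journal)  # alternative embodiment
    journal.append(f"refused: level {requested_level} not reached within n={n} attempts")
    return Decision(Outcome.DENIED, level, trail, journal)


if __name__ == "__main__":
    # Constructed scenario: PIN matches (level 1), a congested voice print only reaches
    # "try again", so a retina pattern is requested and vouches for level 3.
    d = authenticate(2, [("pin", 1.0), ("voice", 20.0), ("retina", 35)])
    print(d.outcome.value, "at level", d.level, "after", len(d.trail), "iterations")
```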

If the test result in step 825 is NO and access is definitely not allowable at the requested level, control is
passed to step 817, in which SCP 134-1 causes the connection to be refused. Thereafter, control is passed
to optional step 819, which journals an unsuccessful access attempt. Then, the method is exited at step 821.
In an alternative embodiment, if the requester has been successfully authenticated to a lower level of access,
that level of access may be granted. For example, if the requester of access to the bank's computer successfully
supplied an identity code including the PIN portion that corresponds to an authorized user, he will be
successfully authenticated to authentication level 1. The requester could then be granted access to perform
transactions up to $200.

Security system 133 must be implemented securely since if its security is breached it can compromise the
entire network. However, no other destination need be secured. If security system 133 vouches for the requester,
it may optionally communicate to the destination information that is specific to the requester, such as the
confirmed identity of the requester. If security system 133 mimics user login information, each destination for
which the user is authorized will be supplied with appropriate, but different, login information. Therefore, the
compromise of the information for one destination will not compromise any other destination. However, the requester
must supply to security system 133 only a single set of login information no matter which destination he
seeks to access. SCP 134-1 of security system 133 will automatically translate the requester supplied login
information to the destination required login information based on its knowledge of the selected destination.
If a higher level of security is required at a later point in the session, SCP 134-1 could be reinvoked. Such
reinvoking could be implemented by having a multi-frequency tone receiver on switching machine 128 monitoring
a session between originating station 102 and destination station 114 such that a predetermined tone
sequence would alert switching machine 128 to the originator's need for additional security processing by SCP
134-1. Information and signalling paths could then be established from the originator and destination to SCP
134-1 by alerted switching machine 128.

The manner in which a wave is polarized as it passes through a portion of the requester's body or a handwriting
sample may also be used as authenticating information. Of course, compatible apparatus must be available
at the requester's location to obtain each type of authentication from the requester and to transmit a
representation thereof to SCP 134-1. Apparatus capable of obtaining such information is well known. Such
authentication information would be processed by comparison function 310.

Shown in FIG. 9 is an example of the call setup messages employed when security system 133 is to provide
secured access by a user to a particular destination as described above. The call setup messages may be
both signalling type messages carried by signalling network 138 and information type messages carried by
information links 140. Such messages are well known to one skilled in the art. A requester at an originating
station, e.g., originating station 102 (FIG. 1), goes off hook and dials the desired destination, e.g., 1-800-BANK.
The originating LEC switching machine to which the user is connected, e.g., LEC switching machine 120,
determines that the call is an 800 type call handled by the long distance network 118. The handling of conventional
unsecured 800 type calls is well known to one skilled in the art. A message is sent from LEC switching
machine 120 to an originating switching machine in long distance network 118, e.g. switching machine 128,
indicating that there is an incoming 800 type call and the number that has been dialed.

The originating switching machine forwards the 800 number received to NCP 132 for translation to an actual
destination address, i.e., a destination phone number, in the conventional manner. In accordance with an aspect
of the invention, NCP 132 forwards a security requirement message to SCP 134-1 because the address
of SCP 134-1 was stored in the NCP table instead of an actual translation of the destination. After it receives
the security request message, SCP 134-1 knows the source of the request, the destination to which access
is desired and other parameters obtained. SCP 134-1 then determines, by employing its stored profiles, what,
if any, additional security processing is appropriate for this communication.

If additional security processing is required, SCP 134-1 first sends an authentication request message
which is forwarded through NCP 132, originating switching machine 128 and originating LEC switching machine
120 to originating station 102. If an alleged identity can not be inferred, the authentication message requests
that the user provide identification allegation information, thereby alleging who the requester is. The requester
then provides the requested authentication information within a predetermined amount of time or the request
is terminated as discussed above. If the requester provided the authentication information that was requested,
the information is forwarded via originating station 102, originating LEC switching machine 120, originating
switching machine 128 and NCP 132 to SCP 134-1.

In accordance with an aspect of the invention, SCP 134-1, upon receiving the authentication information,
analyzes all the information currently available to it concerning the access request to determine to which, if
any, level of authentication the user has presently successfully authenticated himself. If the requester has not
authenticated himself sufficiently to achieve the desired level of access, SCP 134-1 can send additional
authentication request messages, which are forwarded through NCP 132, originating switching machine 128 and
originating LEC switching machine 120 to originating station 102. These additional authentication messages
request that the user provide authentication information that can be used to authenticate the alleged identity
of the requester. The requester then provides the requested authentication information within a predetermined
amount of time or the request is terminated. If the requester provided the authentication information that was
requested, the information is forwarded via originating station 102, originating LEC switching machine 120,
originating switching machine 128 and NCP 132 to SCP 134-1. SCP 134-1, upon receiving the authentication
information, again analyzes the information available to it concerning the access request and determines to
which, if any, level of authentication the user has successfully authenticated himself. If the user has authenticated
himself to a level sufficient for access at the level requested to be granted, such access is granted.
This process may be repeated n times, where n is a predetermined number selected by the implementor. An
exemplary value of n is 2.

Upon successful authentication, SCP 134-1 transmits to originating station 102 a proceed message, which
is forwarded through NCP 132, originating switching machine 128 and originating LEC switching machine 120.
Also, a preauthentication message specifying the level of access granted is forwarded to the destination station
via the destination switching machine and destination LEC switch. Optional handshaking messages may then
be exchanged between destination station 114 and SCP 134-1. A complete connection is then established
directly from the user to the destination, thereby giving the user access to the destination at whatever level
was previously authorized. SCP 134-1 and NCP 132 are free to process other calls.

FIGs. 10 and 11, when arranged as shown in FIG. 12, depict in flow chart form an exemplary access request
by a requester to a destination where the additional security requirements for the granting of access,
beyond those inherent in the nature of the request, are specified by the requester or the network operators.
Again the requester is located at originating station 102 (FIG. 1). The destination is a sports hot line service,
which for purposes of this example is located at destination station 116. For the convenience of the public,
a pay-per-use premium billing 900-type access number (1-900-SPORTS) is provided under contract with the
network operators by the purveyor of the hot line service.

A man, Joe Williams, desires to allow access to all 900-type services, including the hot line service, for himself
and his wife but not for his two sons, who have previously demonstrated an affinity for accumulating large bills
for the sports hot line service. The man has therefore arranged that security procedures be employed whenever
a 900-type call is to be billed to his account, and he has supplied to the network operators identifying
information that is to be used for authenticating the identities of himself and his wife. Other users of his account,
e.g., guests at his home using his home phone or the two sons, will be allowed access to destinations other than the
sports hot line. The two sons are also authorized to use the family phone credit card to charge calls thereto,
but again, not for use in accessing the sports hot line. Furthermore, only Joe can access a premium information
service (1-900-INFOSVC). This information has been entered into SCP 134-1. Also, an indication that security
services are to be invoked for 900-type calls made from his line has been programmed into switching machine
128 in the same manner as is employed for the well known call block feature. Such programming is well known
by one skilled in the art.

Accordingly, the method is entered at step 1201 when a requester at originating station 102, located in
Joe's home, is detected going off hook by switching machine 120. Thereafter, in step 1203, the requester dials the
number of the destination to which access is sought. In this example, the requester dials 1-900-SPORTS at
originating station 102. In step 1205, switching machine 120 receives the dialed digits and recognizes that the
number dialed is a 900-type number for which service is provided via long distance network 118. Such recognition
may be performed by table lookup and is well known in the art. Switching machine 120, in step 1207,
routes the call to switching machine 128 in long distance network 118. Switching machine 128 recognizes,
in step 1209, that 900-type calls from this line are to be routed to security system 133 instead of NCP 132. For
purposes of this example, the closest one of SCPs 134 is SCP 134-1. SCP 134-1 receives the call information
on requester signalling link 206.

Upon receiving the call, SCP 134-1, in step 1211, causes any first level of security processing specified
by the nature of the request to be performed. A call to the sports hot line that is directly billed has a null first
level of security processing. Contradistinctively, a call to the sports hot line that is to be charged to a credit
card requires the first level of security processing inherent in a credit card call, that is, the requirement that
a valid credit card number, including the PIN portion, be supplied by the requester. Such a call would initially
be routed to NCP 132, in the typical manner of a conventional unsecured credit card call. However, instead of
the well known unsecured credit card verification processor being returned by NCP 132 as the node to handle
the call, NCP 132 would specify to route the call to security system 133, and more particularly in this example,
to SCP 134-1.

In accordance with an aspect of the invention, conditional branch point 1213 tests to determine if the
requester has successfully met the requirements of the first level of security processing. If the test result in step
1213 is NO, control is passed to step 1215 in which SCP 134-1 causes the connection to be refused. Thereafter,
control is passed to optional step 1217 which journals an unsuccessful access attempt. The method is then
exited at step 1219.

EP 0 534 673 A2

If the test result in step 1213 is YES, control is passed to step 1221 in which SCP 134-1 looks up the user
profile for the alleged identity and determines the predetermined levels of authentication, if any, that are required
to achieve the various levels of access available for this type of call. The determination of the predetermined
levels is made by access decision unit 208, which employs information supplied from user profile storage 210
(see Table 5) over link 222. For clarity and brevity it is assumed that for this application of the invention there
will always be an available alleged identity. This alleged identity is derived either from the line from which the
request was placed or from a credit card number supplied to meet a first level of security processing, if the call
is billed to a credit card. In an alternative embodiment, if an alleged identity can not be derived, one may be
requested as described above in connection with FIG. 8. Table 5 shows a unique identity code for each user
that could be employed in such an embodiment. In accordance with an aspect of the invention, if no entry or
a null entry is found in user profile storage 210 for an alleged identity, additional security processing beyond
the first level is never required for that identity.

One exemplary way of organizing the security information when multiple users are authorized to use a
single alleged identity, as in the case of the family, is to arrange for separate profiles for each user that are
grouped together. Each such profile would include all the attributes for identifying the individual and the
conditions under which various types of access would be granted. The identification information supplied is then
employed to discriminate among the available profiles to determine which of the authorized users is actually
calling. Upon successful authentication of one of the authorized users, access is then granted or denied in
accordance with that user's authorization. Such a situation arises when the Williams credit card number is

In accordance with the principles of the invention, access decision unit 208 of SCP 134-1 tests to determine,
in conditional branch point 1223, if access at the level requested is clearly allowable, clearly not allowable
or if it is still not sure. This access decision is based on the requirements specified in the stored user profile
(Table 5), the alleged identity and the available call information as described above for step 825 (FIG. 8). In
accordance with the principles of the invention, if the call was an ordinary long distance call or an 800-type
call which did not meet any of the user specified set of attributes required to invoke additional security processing
beyond the inherent null first level required for such requests, or neither the user nor the network specified
that there ever be any requirement of additional security processing, the test result in step 1223 is YES
and control is passed to step 1225. The address of a next switching machine to route the call to would be
returned and no security processing would be invoked. SCP 134-1 will convey to the destination the level of access
that has been granted to the requester above. If the access level is a time limit, the destination for purposes
of timing and enforcing of the access level is switching machine 128. This is accomplished by employing
the same timing mechanisms employed for billing purposes. The method is then exited via step 12 9.

In accordance with an aspect of the invention, if the test result in step 1223 is DON'T KNOW, indicating
that access decision unit 208 of SCP 134-1 remains unsure as to whether access should be allowed, control
is passed to step 1227. The test result during an initial iteration of step 1223 will be DON'T KNOW if authentication
information is required before access can be granted. During subsequent iterations of step 1223 the
test result will be DON'T KNOW if authentication information was previously obtained and a "try again" threshold
was reached. Conditional branch point 1227 tests to determine if there remains additional authentication
information that can be obtained from the access requester or, alternatively, if additional authentication features
can be extracted from the information which the requester has already supplied.

For example, if the oldest son, Tom Williams, was attempting to reach the sports hot line, during the initial
iteration of step 1227 he may sound like his father Joe with nasal congestion. He may therefore be able to
reach the "try again" threshold for the requested voice print. If Joe was actually calling but he had nasal congestion,
he might only be able to meet the "try again" threshold. However, it would be undesirable to deny him
access since he is an authorized user. Therefore, additional authentication information, in this case a retina
pattern, is also stored for Joe in security system 133. If during a request for access to the sports hot line the
requester reaches the "try again" threshold for the voice print, the retina pattern of the requester can be
requested and obtained for authentication purposes during a subsequent iteration of step 1227. If the obtained
retina pattern matches the stored retina pattern, access can be granted and the test result in step 1223 will
be YES on the next iteration of that step.
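The grouped-profile arrangement of step 1221 and the Williams example above, as an added illustration that is not the patent's own code: several user profiles are stored under one alleged identity (the home line), the supplied retina features discriminate among them, and only then is the identified user's authorization for the dialed destination checked (branch point 1223). The feature sets, the retina tolerances Z1 and Z2, and the names of the wife and second son are constructed.

```python
from dataclasses import dataclass

# Constructed retina tolerances; Table 6 requires Z1 < Z2.
Z1, Z2 = 4, 7


@dataclass(frozen=True)
class UserProfile:
    name: str
    retina_features: frozenset       # constructed stand-in for a stored retina pattern
    allowed_destinations: frozenset  # destinations this user may reach once identified


# Alleged identity (here: the account behind Joe's home line) -> profiles grouped under it.
PROFILE_GROUPS = {
    "williams-home-line": (
        UserProfile("Joe Williams", frozenset(range(0, 10)),
                    frozenset({"1-900-SPORTS", "1-900-INFOSVC"})),
        UserProfile("Mrs. Williams", frozenset(range(10, 20)), frozenset({"1-900-SPORTS"})),
        UserProfile("Tom Williams", frozenset(range(20, 30)), frozenset()),
        UserProfile("second son", frozenset(range(30, 40)), frozenset()),
    ),
}


def requires_additional_security(alleged_identity, dialed):
    """The user-specified attribute of the example: 900-type calls billed to this
    account invoke security processing. An identity with no profile entry never
    requires processing beyond the inherent first level."""
    return alleged_identity in PROFILE_GROUPS and dialed.startswith("1-900-")


def classify(matching):
    """Retina row of Table 6 for a count of matching features."""
    if matching > Z2:
        return "granted"
    if matching > Z1:
        return "try again"
    return "denied"


def identify(alleged_identity, observed_features):
    """Discriminate among the grouped profiles: the caller is the single profile whose
    comparison reaches Access Granted. A near miss, or a pattern that matches more
    than one profile, leaves the identity uncertain so another type of information
    can be requested instead of guessing."""
    results = [(p, classify(len(p.retina_features & observed_features)))
               for p in PROFILE_GROUPS.get(alleged_identity, ())]
    granted = [p for p, r in results if r == "granted"]
    if len(granted) == 1:
        return granted[0], "granted"
    if granted or any(r == "try again" for _, r in results):
        return None, "try again"
    return None, "denied"


def access_decision(alleged_identity, dialed, observed_features):
    """Conditional branch point 1223: YES, NO or DON'T KNOW, plus the identified user.

    Authentication (who is calling) is settled before authorization (may this user
    reach the dialed destination), so Tom matching his own stored pattern perfectly
    still yields NO for the sports hot line."""
    if not requires_additional_security(alleged_identity, dialed):
        return "YES", None              # e.g. an ordinary 800-type call from the line
    user, result = identify(alleged_identity, observed_features)
    if result == "granted":
        return ("YES" if dialed in user.allowed_destinations else "NO"), user.name
    if result == "try again":
        return "DON'T KNOW", None       # step 1227: ask for further information
    return "NO", None                   # step 1215: refuse the connection


if __name__ == "__main__":
    # Constructed observation: a pattern sharing 8 of Joe's 10 stored features.
    print(access_decision("williams-home-line", "1-900-SPORTS", frozenset(range(0, 8))))
```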

If the test result in step 1227 is YES, in accordance with the principles of the invention, control is passed 
to step 1229 to request additional authentication information from the requester. In accordance with an aspect 
of the invention, this iterative requesting of additional authentication information may be performed without 
the knowledge of the requester, as described above. 

In step 1229 SCP 134-1, as described above, requests that the requester provide authentication information
to confirm the requester's alleged identity. For purposes of this example the request is for a voice print
from the requester. As described above, other authenticating information may be requested.

Conditional branch point 1231 tests to determine if the user has provided the authenticating information
requested within a predetermined period of time. If the test result in step 1231 is NO, control is passed to step
1215 in which SCP 134-1 causes the connection to be refused. Thereafter, control is passed to optional step
1217 which journals an unsuccessful access attempt. The method is then exited at step 1219.

If the test result in step 1231 is YES, control is passed to conditional branch point 1223 in which access
decision unit 208 of SCP 134-1 tests to determine, in the same manner as described above, if access to the
destination is clearly allowable, clearly not allowable or if it is still not sure. If the test result in step 1223 is
NO, and access is not allowable because the supplied authentication information did not sufficiently match
the stored authentication information according to Table 6, control is passed to step 1215, in which SCP 134-1
causes the connection to be refused. Thereafter, control is passed to optional step 1217, which journals an
unsuccessful access attempt. The method is then exited at step 1219.

If the test result in step 1223 is YES, because authentication to the level required has been achieved in
accordance with Table 6, access should be granted and control is passed to step 1225 wherein SCP 134-1
grants the requester at originating station 102 access to the destination 114 as described above. Thereafter,
the method is exited at step II37.



Claims

1. A method for use in a system that controls the grant or denial of access to a plurality of destinations, said
method CHARACTERIZED BY the steps of:

receiving a request for access to a particular one of said plurality of destinations, said request
requiring a first level of security processing;

determining, based on predetermined attributes of said request, if additional security processing
beyond said first level is required; and

prompting said requester, if said additional security processing is required, to provide additional
authentication information beyond any authentication information that may be received from said requester for
satisfying said security requirements of said first level.

2. The method as defined in claim CHARACTERIZED IN THAT authentication information that is supplied 
by said requester intended to be used to satisfy security requirements of said first level is employed as 
attributes of said request in said step of determining. 

3. The method as defined in claim 1 wherein one attribute of said predetermined attributes for said particular 
access request is an alleged identity for said requester. 

4. The method as defined in claim 3 CHARACTERIZED IN THAT said step of determining is preceded by 
the steps of: 

explicitly requesting that said requester supply an alleged identity if an alleged identity for said re- 
quester cannot be inferred; and 

receiving information denoting said alleged identity for said requester. 

5. The method as defined in claim 3 further CHARACTERIZED BY the step of receiving said additional
authentication information by said system as an input for use in authenticating said requester if said additional
authentication information is supplied by said requester.

6. The method as defined in claim 7 further CHARACTERIZED BY the step of making a comparison between
said received additional authentication information and previously stored authentication information
corresponding to said alleged identity, the result of said comparison for use in determining a level of access
to be granted to said requester.

7. The method as defined in claim 8 further CHARACTERIZED BY the step of reiterating said steps of
prompting, receiving and making a comparison for further authentication information beyond that already
received from said requester only if a predetermined authentication threshold was reached in said step
of making a comparison during at least one preceding iteration of said steps of prompting, receiving and
making a comparison, said authentication threshold being insufficient to achieve said level of access.

8. The method as defined in claim 8 further CHARACTERIZED BY the steps of:

obtaining further authentication information beyond that already supplied by said requester and
making a comparison between said obtained further authentication information and previously
stored authentication information corresponding to said alleged identity, the result of said comparison for use in
determining ...

... a comparison, said authentication threshold being insufficient to achieve said level of access.

9. The method as defined in claim 8 wherein said alleged identity is associated with multiple authorized
users, each of said users having his own previously stored authentication information,
and it can be determined from said received additional authentication information which of said multiple
authorized users said requester is.

10. The method as defined in claim 8 further CHARACTERIZED BY the steps of:

retrieving a previously stored profile for said alleged identity; and

... predeter... of said particular access request and the result of said comparison.

11. The method as defined in claim 19 CHARACTERIZED IN THAT any requester is granted access if that
... previously stored for one of said authorized users associated with said alleged identity.

12. The method as defined in claim 12 further CHARACTERIZED BY the steps of:

... which particular authorized user associated with said alleged identity ...;

retrieving a previously stored profile for said particular authorized user; and

... of said particular access request and the result of said comparison.

13. Apparatus for use in a system that controls the grant or denial of access to a plurality of destinations (133),

... (206, 222) for access to a particular one of said plurality of destinations ...

... essing is required.

14. The invention as defined in claim 13 wherein said means for obtaining operates in a manner transparent